As we have often said, the greatest vulnerability in securing your system will be human error: not maliciousness or incompetence, just the mistakes we all make. Phishing is one of the most common methods of compromising your security, and its goal is to capture sensitive information. Since phishing often disguises itself as a friendly entity, it can be extremely difficult to recognize until it’s too late.
Further, computer users have a tendency to use passwords and logins that are easy to remember. This is human nature, and unless you have a strong credential policy in place, chances are your security is at risk of being compromised. Short of holding your team ‘hostage’ to an unpopular credential policy, what are your options to protect your business?
The answer to this question comes from an unexpected source: Google recently reported that since early 2017 they haven’t had a security breach due to phishing. They attribute this to a new policy that required their 85,000 employees to use a security ‘key’ to provide two-factor authentication (2FA) when logging into their accounts.
As a Google spokesperson noted: “We have had no reported or confirmed account takeovers since implementing security keys at Google.”
A security key is a physical device that connects to your device (laptop, tablet, phone, workstation) over Near Field Communication (NFC), Bluetooth or a USB port, and requires you to physically insert the key and touch it with your finger to verify your identity. When using such a security measure, you’re using true 2FA, not the more common 2SV (two-step verification) measures.
Now let’s take a step back a moment and examine the difference between true 2FA and 2SV. When we think about an additional step of protection for our accounts, what we are most familiar with, and usually mean, is 2SV, even though people often call it 2FA. Examples of 2SV are when your Gmail or Facebook account sends you an SMS, or your workstation sends a code to your mobile device, to verify you are who you say you are. Once received, you input the code (which is one-time use only), and your application will unlock.
Unlike true 2FA, 2SV is software driven, and if a hacker has remote access to your machine, they can acquire your credentials and gain access even if you have 2SV enabled. When we spoke about the VPNFilter malware, we mentioned that part of its programming is to act as a ‘man-in-the-middle’, allowing the hacker to intercept and alter communications and bypass security measures. This can affect any device on the network, including mobile devices, allowing the hacker to grab your SMS or generated code before you receive it, or to alter it so it won’t work for you while they retain the working version.
Moreover, 2SV relies on only one type of verification (something you know: a password or code); it just requires two instances of it. So your Facebook account requires a password (something you know) and then, to verify it’s really you, another password or code (again, something you know). However, as we noted, since the ‘something you know’ is transmitted, it can be intercepted and used by someone else.
True 2FA is immune to such attacks because it relies on two different and separate types of verification: something you know (a password) and something you have or are (a dedicated device and/or a fingerprint). When you use 2FA, the two authentication steps aren’t connected to each other, which makes it incredibly difficult for a cyber-criminal to gain access via phishing.
Further, requiring a device also prevents malware or bots from simply spamming random codes in the hope of cracking your password. Since the security key requires you to physically be in possession of it, there’s no way a bot can obtain access to your account: even if it cracks the password, it can’t press the sensor on the security key.
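The distinction drawn in the last three paragraphs can be made concrete. The following is an added example, not code from the original post or from any key vendor: a simplified Python model in which a relayed one-time code is accepted by the server, while a security-key assertion relayed from a phishing page is rejected because the key signs the origin the browser is actually on, and no assertion at all is produced unless the sensor is touched. The HMAC, the origins and the user name are stand-ins I have constructed; a real FIDO/U2F key signs with a private key that never leaves the device.

```python
"""Relayed one-time code vs. relayed security-key assertion (added example).

Deliberately simplified: the key's signature is an HMAC over a secret shared
at registration, standing in for the real device's private-key signature.
Origins, user name and scenario are constructed for illustration.
"""
import hashlib
import hmac
import secrets


class OtpServer:
    """2SV: the server sends a one-time code; whoever presents it is let in."""

    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # delivered by SMS or push in reality: a bearer secret

    def verify(self, user, code):
        # One-time: the code is consumed whether or not it matches.
        return self.pending.pop(user, None) == code


class SecurityKey:
    """U2F-style authenticator: signs (origin, challenge), only when touched."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # stand-in for the private key

    def register(self):
        return self._secret  # a real key hands out a public key instead

    def sign(self, origin, challenge, touched):
        # The browser, not the user, supplies the origin it is actually on.
        if not touched:
            return None  # user-presence test failed: a bot cannot press the sensor
        return hmac.new(self._secret, origin.encode() + challenge, hashlib.sha256).digest()


class KeyServer:
    """Relying party: fresh single-use challenge, checked against its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}
        self.challenges = {}

    def register(self, user, credential):
        self.credentials[user] = credential

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self.challenges[user] = challenge
        return challenge

    def verify(self, user, assertion):
        challenge = self.challenges.pop(user, None)  # consumed on first use
        if challenge is None or assertion is None:
            return False
        expected = hmac.new(self.credentials[user],
                            self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


REAL_ORIGIN = "https://accounts.example.com"               # constructed
PHISHING_ORIGIN = "https://accounts.example.com.evil.test"  # constructed


def otp_relay_accepted():
    """A man-in-the-middle who sees the victim's code can use it: True."""
    server = OtpServer()
    code = server.send_code("alice")        # victim receives the code
    relayed = code                           # victim types it into the MITM's page
    return server.verify("alice", relayed)   # server cannot tell who typed it


def key_relay_rejected():
    """The same relay against a security key fails: False."""
    server = KeyServer(REAL_ORIGIN)
    key = SecurityKey()
    server.register("alice", key.register())
    challenge = server.begin_login("alice")  # MITM starts a login, relays the challenge
    # The victim's browser is on the phishing origin and passes it to the key,
    # so the signature covers the wrong origin and the real server rejects it.
    assertion = key.sign(PHISHING_ORIGIN, challenge, touched=True)
    return server.verify("alice", assertion)


def key_legit_login():
    """Genuine login on the real origin: True; replaying that assertion: False."""
    server = KeyServer(REAL_ORIGIN)
    key = SecurityKey()
    server.register("alice", key.register())
    challenge = server.begin_login("alice")
    assertion = key.sign(REAL_ORIGIN, challenge, touched=True)
    return server.verify("alice", assertion), server.verify("alice", assertion)


def key_without_touch_rejected():
    """Malware with the password but no finger on the sensor gets no assertion."""
    server = KeyServer(REAL_ORIGIN)
    key = SecurityKey()
    server.register("alice", key.register())
    challenge = server.begin_login("alice")
    return server.verify("alice", key.sign(REAL_ORIGIN, challenge, touched=False))


if __name__ == "__main__":
    print("OTP relayed by MITM accepted:", otp_relay_accepted())
    print("Key assertion from phishing origin accepted:", key_relay_rejected())
    print("Legit login then replay:", key_legit_login())
    print("Assertion without touch accepted:", key_without_touch_rejected())
```

The two properties that matter are visible in `KeyServer.verify`: the server checks the signature against its own origin, not whatever origin the user was looking at, and each challenge is discarded after one check, so a captured assertion cannot be replayed.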
We welcomed the age of software-based security and still do, so I understand the reluctance to use a physical security device. However, cybercriminals are getting smarter and more aggressive in their software-based attacks. So we’re getting ahead of the curve and protecting our team and our business, and security keys seem to be the best option to do so.
At a starting price of around $20, these devices will more than pay for themselves in the time you would otherwise spend enforcing credential policies or, worse, updating everyone’s credentials after a breach. There are a number of security-key manufacturers, but you need to verify that the keys are FIDO-certified (U2F). Yubico and Feitian are the most popular, but there are others, and with Google releasing their ‘Titan’ key shortly, security keys may finally get the attention they deserve.